acpid UNIX Domain Socket Name Buffer Overflow

First of all, this is probably not a security issue since, as Kurt Seifried of the Red Hat Security Response Team mentioned, you need administrative access to trigger this overflow. However, there might be some other way to reach this bug using an unprivileged account and thus make it a vulnerability.

So, the bug resides in the ud_socket.c file, more specifically in the routine you see here from acpid 2.0.12.

You can quickly see that there is a common strcpy(3) stack-based buffer overflow. The problem is that it copies the user-supplied ‘name’ to ‘uds_addr.sun_path’, which is defined in the /usr/include/sys/un.h header file to have the size you see below.
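As an added example (not code from acpid or from the original post), here is a bounds-checked way to fill `sun_path` from a caller-supplied name, with the unchecked strcpy(3) pattern described above shown only in a comment. The names `uds_set_path`, `try_name_of_length` and `SUN_PATH_MAX` are hypothetical, and the test names are constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Capacity of sun_path on this platform, taken from the header itself. */
#define SUN_PATH_MAX sizeof(((struct sockaddr_un *)0)->sun_path)

/* Unchecked pattern described in the post, for contrast only:
 *     strcpy(uds_addr.sun_path, name);    (no length check)
 */

/* Hypothetical hardened helper: refuse names that do not fit, NUL included. */
int uds_set_path(struct sockaddr_un *addr, const char *name)
{
    size_t len;

    if (addr == NULL || name == NULL || name[0] == '\0') {
        errno = EINVAL;
        return -1;
    }
    len = strlen(name);
    if (len >= sizeof(addr->sun_path)) {   /* need room for the NUL byte */
        errno = ENAMETOOLONG;
        return -1;
    }
    memset(addr, 0, sizeof(*addr));
    addr->sun_family = AF_UNIX;
    memcpy(addr->sun_path, name, len + 1); /* length already validated */
    return 0;
}

/* Build a constructed name of n 'A' characters and try to store it. */
int try_name_of_length(size_t n)
{
    struct sockaddr_un addr;
    char name[512];

    if (n >= sizeof(name))
        return -2;
    memset(name, 'A', n);
    name[n] = '\0';
    return uds_set_path(&addr, name);
}

int main(void)
{
    printf("sun_path capacity: %zu bytes\n", (size_t)SUN_PATH_MAX);
    printf("capacity-1 chars: %d\n", try_name_of_length(SUN_PATH_MAX - 1));
    printf("capacity chars:   %d\n", try_name_of_length(SUN_PATH_MAX));
    return 0;
}
```

The boundary matters: a name of exactly `sizeof(sun_path)` characters is rejected because its terminating NUL would land one byte past the array.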

I guess that this is a joke or something.
The truth is that in the past I had plenty of time to play with security related stuff but currently I can barely find a couple of hours per week for coding and code auditing. I don’t think that I am able by any means to teach anyone about security.